29. Container Virtualization Flashcards
How did we create a virtual machine?
Start with a physical machine.
Create software (hypervisor) responsible for isolating the guest OS inside the VM
VM resources (memory, disk, networking, etc) are provided by the physical machine but visibility outside of the VM is limited
What are the three implications of creating a virtual machine?
- VM and physical machine share the same instruction set, so the host and guest OS must as well
- Guest OS can provide a different application binary interface (ABI) inside the VM
- Lots of challenges in getting this to work, because the guest OS expects to have privileged hardware access
How do we create a virtual operating system (container)?
- Start with a real operating system.
- Create software responsible for isolating guest software inside the container.
- Container resources (processes, files, network sockets, etc) are provided by the real operating system but visibility outside the container is limited
What are the 3 implications of creating a virtual operating system (container)?
- Container and real OS share the same kernel
- So applications inside and outside the container must share the same ABI
- Challenges in getting this to work are due to the shared OS namespace
True or False: You can run Windows inside a container provided by Linux.
FALSE. A container shares the kernel with the host.
True or False: You can run SUSE Linux inside an Ubuntu container.
TRUE. As long as both distributions use the same kernel, the differences are confined to different binary tools and file locations.
True or False: Running ps inside the container will show all processes.
FALSE. The container's process namespace is isolated from the host's.
What is the difference between hypervisor and container virtualization?
The hypervisor sits above the host OS, and on top of the hypervisor run a number of guest OSes. Above each guest OS is its own copy of the binaries/libraries, and then the apps.
In container virtualization, multiple copies of the binaries/libraries and apps sit directly on top of the host OS.
Why virtualize an operating system?
Shares many (but not all) of the benefits of hardware virtualization with much lower overhead
Describe the three properties of Decoupling in container virtualization
- Cannot run multiple operating systems on the same machine
- Can transfer software setups to another machine as long as it has an identical or nearly identical hardware kernel
- Can adjust hardware container resources to system needs
Describe the two properties of Isolation in container virtualization
- Information should not leak into or out of the container
- Can isolate all of the configuration and software packages a particular application needs to run
What is the hardware virtualization system call path?
Application inside the VM makes a system call.
Trap to the host OS (or hypervisor).
Hand the trap back to the guest OS.
What is the OS virtualization system call path?
Application inside the container makes a system call.
Trap to the OS.
Remember all of the work we had to do to deprivilege the guest OS and deal with uncooperative machine architectures like x86? OS virtualization does not require any of this: there is only one OS!
What kind of names must the container virtualize?
Process IDs:
- top inside container shows only processes running inside container
- top outside container may show processes inside the container, but with different PIDs
File names:
- processes inside the container may have a limited or different view of the mounted file system
- file names may resolve to different names - and some file names outside the container may be removed
User names:
- containers may have different users with different roles
- root inside the container should not be root outside the container
Host name and IP address:
- processes inside the container may use a different host name and IP address when performing network operations
What resources does OS virtualization concern itself with?
In other words: the OS may want to ensure that the entire container - or everything that runs inside it - cannot consume more than a certain amount of:
- CPU time
- Memory
- Disk or network bandwidth